Big Bank Blunder from Down Under

Despite the awareness that they are duty-bound to protect the sensitive information of their customers, banks continue to suffer data breaches as the result of human error, as was the case for the Commonwealth Bank of Australia (CBA). The Sydney Morning Herald reported that CBA breached the privacy of 10,000 customers by sending their data to the wrong email addresses. 

After conducting an information security investigation, the bank learned that 651 internal emails were incorrectly sent to email addresses at the wrong domain from 2016 to 2017. The sender inadvertently omitted the ".au" at the end of the intended domain.
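As an added illustration (not code from the bank or from the article), the outbound check below holds any recipient whose domain is a truncated or misspelt form of the organisation's own domain, which is the failure mode described above. The domain names are constructed placeholders, since the article does not name the domains involved.

```python
"""Flag outbound recipients whose domain is a near miss of an internal domain.

Added example; the domains are placeholders, not the ones from the incident.
"""
import difflib
from typing import Optional

# Constructed placeholder for the organisation's real domain(s).
INTERNAL_DOMAINS = {"example.com.au"}


def recipient_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def near_miss_reason(domain: str, internal: str) -> Optional[str]:
    """Explain why `domain` looks like a mistyped form of `internal`, else None."""
    if domain == internal:
        return None
    # The failure mode in the article: the final label (e.g. ".au") dropped off,
    # so the internal domain is the recipient domain plus one or more labels.
    if internal.startswith(domain + "."):
        return f"truncated form of {internal} (missing '{internal[len(domain):]}')"
    # Other small slips: a transposed or missing character in the domain.
    if difflib.SequenceMatcher(None, domain, internal).ratio() >= 0.9:
        return f"close misspelling of {internal}"
    return None


def flag_misdirected(recipients, internal_domains=INTERNAL_DOMAINS):
    """Return [(address, reason)] for recipients that should be held for review.

    Exact internal matches and unrelated external domains are not flagged.
    """
    flagged = []
    for addr in recipients:
        dom = recipient_domain(addr)
        if dom in internal_domains:
            continue
        for internal in internal_domains:
            reason = near_miss_reason(dom, internal)
            if reason:
                flagged.append((addr, reason))
                break
    return flagged


if __name__ == "__main__":
    # Constructed sample recipient list for one outbound message.
    sample = ["alice@example.com.au", "bob@example.com",
              "carol@partner.org", "dave@exmaple.com.au"]
    for addr, why in flag_misdirected(sample):
        print(f"HOLD {addr}: {why}")
```

Such a check belongs in the mail gateway or DLP policy as a hold-for-review rule rather than a hard block, so that legitimate external recipients with similar domains are not silently dropped.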

In order to prevent these human errors, CBA purchased the domain name in April 2017; however, the investigation looked into events that would have occurred prior to the takeover when the domain was used by a US cybersecurity firm. 

CBA revealed that the 651 emails were indeed sent during that time frame and contained the data of 10,000 customers. "An extensive and detailed investigation by CBA confirmed the contents of all 651 internal emails were automatically deleted by the domain owner's system, which only collected information on CBA sender and recipient email addresses and the subject of the email," the bank wrote in a 1 June 2018 statement.

The bank's investigation confirmed that no customer data was compromised as a result of the mistake, but it accepted responsibility and acknowledged that customers want to be informed about data security and privacy issues. To that end, the bank has started to notify affected customers. 

In the aftermath of the EU's GDPR compliance deadline, this type of privacy breach will continue to get more scrutiny, especially as today's large banks and enterprises serve global clientele. The moral of the story, said Anthony James, CMO at CipherCloud, is that customer data must be carefully protected. 

"Note that if the breach involved even the records of one European customer, then they would have also likely been subject to the 72-hour notification requirement and extremely onerous provisions of the EU General Data Protection Regulation," James said. "New best practices require a deeper focus on data and threat protection, especially in support of challenging new compliance requirements."
